"Dark Sleeper"--new attack mode of mobile phone virus

Source: Internet
Author: User

Recently, Baidu Security Laboratory discovered a new mobile phone virus, "Dark Sleeper". The virus is attached to many wallpaper and game applications. So far, more than 10,000 applications carrying the virus have been found, with more than 30 million infected users.

The malicious behavior of the virus is as follows:
1. In the background, exploits system vulnerabilities to obtain temporary root privileges.
2. After obtaining temporary root, installs the malicious program sysphones.apk as a system application and installs the root backdoor program zy into the /system/bin directory.
3. sysphones.apk silently downloads, installs and promotes applications according to server-side instructions, and can install them as system applications when instructed, so that they cannot be uninstalled.
4. Other unknown potential malicious behavior.


One, exploiting system vulnerabilities to obtain temporary root

The mobile virus takes advantage of the vulnerabilities integrated in the well-known root tool Framaroot to gain temporary root privileges.
(http://forum.xda-developers.com/apps/framaroot/root-framaroot-one-click-apk-to-root-t2130276)
Framaroot integrates exploit code for a number of Android system vulnerabilities and can currently root nearly 400 Android devices; the list of supported devices is here:
(http://forum.xda-developers.com/apps/framaroot/framaroot-supported-devices-t2722980)
Framaroot's key functionality is integrated in the libframalib.so library, which provides two interfaces for the Java layer to call:
Check interface: detects device vulnerabilities and returns the list of vulnerabilities that apply.
Launch interface: executes the exploit code for the vulnerability named in its argument to obtain root.
After rooting succeeds, it installs the superuser.apk and su files bundled in the .so library into the system directory.
The virus cleverly exploits Framaroot's working mechanism and constructs a malicious fakeframaroot by replacing key data, as shown below:

By replacing key data, the virus reuses Framaroot's rooting capability. After obtaining temporary root, it installs the substituted malicious sysphones.apk as a system application and installs zy into the /system/bin directory. zy serves as the backdoor program and gives sysphones.apk the ability to execute commands as the root user.
 
 

 
According to detection data, applications carrying the Trojan first appeared in February 2014 and had lain silently dormant for 9 months before being detected. The virus uses the following techniques to conceal its malicious behavior:
1. Anti-debugging, implementing the key malicious code natively, encrypting key code data and network communication data, and other measures to hinder reverse analysis.
2. Downloading the key malicious code from the cloud and loading it dynamically.
3. Triggering the malicious behavior dynamically from the cloud, so that the behavior is controllable.
 
 
Three, working principle of Dark Sleeper
 
After a complete reverse analysis of the code, the overall workflow of the mobile Trojan is as shown:
 

 
 
Four, malicious code analysis
 
The malicious code embedded in the application has two parts:
1. com.android.luahc [Java]: uploads device information to the command server and downloads the malicious fakeframaroot.so library according to the instructions returned by the command server.
2. libluahc.so [native]: calls the fakeframaroot.so library, triggering the malicious behavior of obtaining temporary root and installing sysphones.apk and zy.
 
The mobile Trojan does not fire immediately after installation; the malicious behavior is triggered only after the next device restart. All key strings such as URLs and paths are encrypted and stored in a byte array to evade scanning by current anti-virus software.
 


All network communication data is encrypted. The following is the network interaction in which com.android.luahc [Java] requests the command server to obtain the fakeframaroot.so library:
Request to the server for the fakeframaroot instruction:


The server returns the following data:


After decryption, the server returns the following data:

Http://106.187.44.144/qwe


com.android.luahc [Java] downloads the file and saves it as libframalib.so1; libframalib.so1 is a compressed file, and libframalib.so is obtained after decompression:


com.android.luahc [Java] indirectly loads the functions of the fakeframaroot.so library by calling libluahc.so.

libluahc.so is included in the app installation package as the file assets/tenatt; at runtime it is written to the files directory and loaded by the com.android.luahc [Java] layer. Its functions are as follows:
1. In JNI_OnLoad, calls ptrace to achieve anti-debugging:


2. Loads the fakeframaroot.so library and calls the check interface to get the list of vulnerabilities:


3. Loads the fakeframaroot.so library and calls the launch interface to root:

 
After fakeframaroot.so obtains temporary root, it installs the malicious sysphones.apk as a system application and installs zy into the /system/bin directory. zy serves as the backdoor program and gives sysphones.apk the ability to execute commands as the root user.
 
The code structure of the malicious program sysphones.apk is as follows:
 

 
sysphones.apk starts automatically after boot, requests the server in the background to obtain instructions, and silently downloads, installs and promotes applications according to the server's instructions. The request data is as follows:
 

 
The decrypted server response is as follows:
Org.zxl.appstats 4.0 http://dl.appfreestore.com/1104/ appstats.apk 1 0
 
Format of the returned instruction:
[package name] [version] [download URL] [whether to install as a system application (1: system application)] [reserved]
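To make the instruction format concrete from the defender's side, here is an added example (not code from the write-up or from the malware) that parses decrypted response lines of the five-field format above and triages each instruction: whether it demands a system-partition install (the "cannot be uninstalled" case), whether the download is fetched over plaintext http, and whether the fields are even well-formed. The sample response lines are constructed and use reserved example hostnames; the real package names, hosts and paths from the write-up are deliberately not reproduced. Lines that do not fit the format are skipped rather than guessed at.

```python
"""Parser and risk triage for the Dark Sleeper C2 instruction format.

Format described in the write-up (space-separated, one instruction per line):
    [package name] [version] [download URL] [system-install flag] [reserved]
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample response lines (not real C2 traffic).
SAMPLE_RESPONSE = """\
com.example.pushed.app 4.0 http://dl.example.invalid/1104/appstats.apk 1 0
com.example.other.app 2.1 https://dl.example.invalid/other.apk 0 0
broken line without enough fields
"""


@dataclass
class Instruction:
    package: str
    version: str
    url: str
    system_install: bool
    reserved: str


def parse_instruction(line: str) -> Optional[Instruction]:
    """Parse one instruction line; return None if it does not fit the format."""
    fields = line.split()
    if len(fields) != 5:
        return None
    package, version, url, flag, reserved = fields
    # The write-up documents only "1" for system install; treat anything
    # other than "0"/"1" as malformed rather than guessing.
    if flag not in ("0", "1"):
        return None
    return Instruction(package, version, url, flag == "1", reserved)


def parse_response(text: str) -> List[Instruction]:
    """Parse a whole decrypted response, skipping lines that do not fit."""
    instructions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        instr = parse_instruction(line)
        if instr is not None:
            instructions.append(instr)
    return instructions


def triage(instr: Instruction) -> List[str]:
    """Return defender-oriented findings for one parsed instruction."""
    findings = []
    if instr.system_install:
        findings.append("installs as system app (cannot be uninstalled by the user)")
    parts = urlsplit(instr.url)
    if parts.scheme == "http":
        findings.append("download over plaintext http")
    if not parts.path.lower().endswith(".apk"):
        findings.append("download URL does not point to an .apk")
    # Android package names are dot-separated Java identifiers.
    if not all(part.isidentifier() for part in instr.package.split(".")):
        findings.append("package name is not a valid Java package identifier")
    return findings


if __name__ == "__main__":
    for instr in parse_response(SAMPLE_RESPONSE):
        print(instr.package, instr.version, triage(instr))
```

The triage rules are deliberately simple; the point is that the fourth field alone tells a responder which pushed packages will survive a normal uninstall and must be removed from the system partition.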
 
The code that decrypts and parses the response is as follows:
 


The command script is built according to the instruction:


The password parameter required to call the zy executable is obtained through libsysphones.so in sysphones.apk:


zy is called to execute the built command script:


zy, as the root backdoor in the system directory, receives externally forwarded instructions and executes the incoming shell command as root.
The calling format is:
zy password command
Password: obtained through libsysphones.so in sysphones.apk, which ensures that the backdoor is only available to the malware's developers.
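The two persistence artefacts described in this write-up, the zy backdoor in /system/bin and sysphones.apk installed as a system application, are what a responder would look for on a suspect device. The following is an added example (not code from the write-up) of a host-side check over the text of two commands normally run through adb, `ls -l /system/bin` and `pm list packages -f`. It reports any executable in /system/bin that is absent from a clean baseline of the same firmware, notes whether it is setuid, and flags any APK on the system partition whose file name matches the dropper. The command outputs and the baseline below are constructed samples; the assumption that the dropper lands under /system/app with the file name sysphones.apk follows from the write-up's "installed as a system application", not from a stated path.

```python
"""Host-side check for Dark Sleeper persistence artefacts.

Consumes the text of two commands a responder would run over adb
(`ls -l /system/bin` and `pm list packages -f`) and reports:
  - binaries present in /system/bin that are not in a clean baseline,
  - system-partition APKs whose file name matches the known dropper.
All inputs below are constructed samples, not output from a real device.
"""
import re
from typing import Dict, List, Set

# Constructed `ls -l /system/bin` output (toolbox-style format).
LS_SYSTEM_BIN = """\
-rwxr-xr-x root     shell       91512 2013-11-20 10:00 app_process
-rwxr-xr-x root     shell      166296 2013-11-20 10:00 toolbox
-rwsr-xr-x root     root        18884 2014-02-14 03:21 zy
"""

# Constructed `pm list packages -f` output.
PM_LIST = """\
package:/system/app/Settings.apk=com.android.settings
package:/system/app/sysphones.apk=com.android.sysphones
package:/data/app/com.example.game-1.apk=com.example.game
"""

# Baseline of /system/bin from a clean build of the same firmware (constructed).
CLEAN_BASELINE: Set[str] = {"app_process", "toolbox"}

# Indicators taken from the write-up: backdoor binary name and dropper file name.
BACKDOOR_NAME = "zy"
DROPPER_APK = "sysphones.apk"

# Regular files only: toolbox `ls -l` omits the size field for directories
# and symlinks, so those lines intentionally do not match.
LS_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\S+\s+\S+\s+\d+\s+\S+\s+\S+\s+(?P<name>\S+)$"
)
PM_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>\S+)$")


def parse_ls(text: str) -> Dict[str, str]:
    """Map file name -> mode string for each regular file in `ls -l` output."""
    entries = {}
    for line in text.splitlines():
        m = LS_RE.match(line.strip())
        if m:
            entries[m.group("name")] = m.group("mode")
    return entries


def parse_pm(text: str) -> Dict[str, str]:
    """Map package name -> APK path for each `pm list packages -f` line."""
    packages = {}
    for line in text.splitlines():
        m = PM_RE.match(line.strip())
        if m:
            packages[m.group("pkg")] = m.group("path")
    return packages


def scan(ls_text: str, pm_text: str, baseline: Set[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for name, mode in parse_ls(ls_text).items():
        if name in baseline:
            continue
        suid = "setuid" if mode[3] in "sS" else "not setuid"
        findings.append(f"unexpected binary in /system/bin: {name} ({suid})")
        if name == BACKDOOR_NAME:
            findings.append(f"known Dark Sleeper backdoor name: /system/bin/{name}")
    for pkg, path in parse_pm(pm_text).items():
        if path.startswith("/system/") and path.rsplit("/", 1)[-1].lower() == DROPPER_APK:
            findings.append(f"dropper APK on system partition: {path} ({pkg})")
    return findings


if __name__ == "__main__":
    for finding in scan(LS_SYSTEM_BIN, PM_LIST, CLEAN_BASELINE):
        print(finding)
```

Comparing against a baseline rather than only matching the literal name `zy` matters because the write-up notes the backdoor is controlled by a password and its behaviour is driven from the cloud; a renamed copy would slip past a name-only check but not past a diff of /system/bin against a known-clean image of the same firmware.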
